Indians and privacy

[Anorion]

sure okay, but what is the problem with the app?
The app itself does not have the capability for misuse at this point of time.

Thing is, let us just say that the worst case scenario is that the govt is trying to consolidate its power by putting itself in the centre of personal life instead of being a service provider in civic life, then the point of attack should not be the app. If the worst case scenario is indeed true, then attacking the app will not achieve anything, better to channel all efforts to a better personal data regime. This is stuck in limbo because of pushback from stakeholders, where simple services such as Wikipedia will not work because the proposed data privacy regime is actually harsher than GDPR! No one has checked if the app is GDPR compliant btw. IMO we need to go through the entire process and find out exactly how claustrophobic these surveillance tech can get before there is sufficient public push back to effect actual change. It took like 15 years before the UK started destroying the national DNA database, IMO, India has to go through this journey if the surveillance gets oppressive. It might just turn out to be fine. We cannot say at this point in time.

 

[Desmond]

Thing is, let us just say that the worst case scenario is that the govt is trying to consolidate its power by putting itself in the centre of personal life instead of being a service provider in civic life, then the point of attack should not be the app

If there is even a 1% chance that the data can be abused, how to ensure accountability?

If the worst case scenario is indeed true, then attacking the app will not achieve anything

Only thing I want is transparency. I am not against installing the app as long as there is transparency as to what data is being collected and how it is processed. Publishing the source code will help in this regard. It will also calm down privacy activists and lawyers and improve the image of the govt. It's win-win.

In either case, I will defer to the Internet Freedom Foundation's judgement in this regard.

 

[Nerevarine]

No one is doubting the intention of the app by the way. Adhar was also intended to be a population registry of sorts but look how many data breaches related to adhar has happened so far, that too was given to a private body for implementation, I think it was Infosys.

External audit is only solution to solve this imo. Especially since the app is a non profit app..
And look at the positive scenario. Maybe such open source contribution will let other countries join in. This can really boost India's rep.

 

[whitestar_999]

No one is doubting the intention of the app by the way. Adhar was also intended to be a population registry of sorts but look how many data breaches related to adhar has happened so far, that too was given to a private body for implementation, I think it was Infosys.

No, the only infosys connection to Aadhaar is Nandan Nilekani. Also all those data leaks happened at registration/end usage side & never from UIDAI/Aadhaar core infrastructure.

 

[Anorion]

There has been no data breach from Aadhaar, it was mostly during the on boarding process, and the punishment for that was harsh. For example, the guy who revealed Dhoni's details on social media, that entire agency was shut down.

Internet Freedom Foundation had a webinar on Friday, more details here here. Sat through one hour of that. There were zero relevant points made about Aarogya Setu, everything was not about the functionality of the app but about larger privacy concerns. When questioned specifically about it, Apar says something like "it is all connected", while giving no concrete points on the app itself. You cannot really convince people based on what the government may or may not do in the future.

So far, still no single legitimate issue when it comes to the app.

Simple thing is the data for a vast majority of the users does not even leave the device. For example, more than 4,92,212 people are using the app in 10km radius of me, but only 113 are infected, and the servers contain the details of only these 113 people.

 

[Nerevarine]

@whitestar_999 @Anorion
Can you guys link a source for that adhar breach issue. If what you say is true, then my bad. I should have researched that.
My second point still stands though.

 

[Anorion]

Its difficult to give a link to aadhaar breach issue, as each individual case has to be addressed to say there has been no breach. However, here is a list to UIDAI press releases, where they have responded to all the reports and rumours of alleged breaches. When flurries of the reports were coming in, top people at UIDAI were periodically informing people that there were no breaches so far, something that was even clarified in the supreme court.

Now coming to the app, this is how the data is actually used
-user data saved locally on smartphone is deleted after 30 days
-user data saved in the cloud for even those who test positive is deleted after 60 days

And about the open source thing, Niti Aayog has committed to releasing the source code once they have a stable release, as the app is still under development.

So really, there is no problem with this particular app. Highly doubt that all the tech has been developed in house from scratch. This is all pure speculation, but will go ahead and post the basis of my suspicions anyway. The symptom tracker implementation is similar to what is outlined in this whitepaper. The on boarding process is similar to what has been proposed here by a Stanford student. Finally, the BlueTooth chirping component could be the PACT protocol by MIT or BlueTrace developed by Singapore, both of which are open source. It's highly unlikely that NIC developed their own protocol in three days. I am not sure if all of this is exactly what they did, but if you do put these things together, you will end up with an app very similar to Aarogya Setu.

 

[whitestar_999]

Just read the so called Aadhaar breach articles & UIDAI replies. You will find that leak happened at other/non-UIDAI end at the time of registration(like those Dhoni details leaked issue) or govt department error( Over 200 government sites reveal Aadhaar details; no leakage from UIDAI: Minister ) etc.

 

[Desmond]

All of these will be verified once the source code is released. I think this is a good first step in releasing public sector code as open source. IMO all software developed using tax payer money should be open source.

 

[Desmond]

NHS UK releases source code of their COVID-19 app - nhsx/COVID-19-app-Android-BETA

Sent from my GM1911 using Tapatalk

 

[Nerevarine]

The French ethical hacker pointed out glaring flaws in the aarogya setu app

 

[Anorion]

https://twitter.com/i/web/status/1257755315614801921

changing radius and gps spoofing across india will give location nd number of positive cases, which is anyway public

 

[Anorion]

Aarogya Setu source code is now available on Github

 

[Desmond]

Aarogya Setu source code is now available on Github

Nice. I've been going through this. It seems like a standard Bluetooth proximity scanner and location reporting app. I wish they also shared the server source code.

Sent from my GM1911 using Tapatalk

 

[Anorion]

Server source code and iOS source code coming up.

Buut this happen:

Fake Aarogya Setu apps carrying spyware spotted

Pakistan's ISI creates fake Aarogya Setu app to snoop on Indian officials

 

[Desmond]

Server source code and iOS source code coming up.

Buut this happen:

Fake Aarogya Setu apps carrying spyware spotted

Pakistan's ISI creates fake Aarogya Setu app to snoop on Indian officials

That's what we have verified accounts on Google play for. But yeah, I kind of expected this to happen. As long as people download from the original Google play store account, there should be no issue.

Sent from my GM1911 using Tapatalk

 

[Nerevarine]

That's what we have verified accounts on Google play for. But yeah, I kind of expected this to happen. As long as people download from the original Google play store account, there should be no issue.

Sent from my GM1911 using Tapatalk

Good luck teaching that to majority of people

 

[skeletor]

Indians don't care about privacy because they do nothing wrong. When someone does nothing wrong, he/she doesn't need to care about privacy.

 

[whitestar_999]

Indians don't care about privacy because they do nothing wrong. When someone does nothing wrong, he/she doesn't need to care about privacy.

 

[Nerevarine]

Indians don't care about privacy because they do nothing wrong. When someone does nothing wrong, he/she doesn't need to care about privacy.

This hits too close to home, with some interaction with my peers man